HIP 62: PoC Witness IP Check

[hiptron]

• Author(s): @H-Baguette
• Start Date: 2022-05-24
• Category: Technical
• Original HIP PR: HIP draft – PoC Witness IP Check #414
• Tracking Issue: HIP 62: PoC Witness IP Check #422

Rendered view

Read the HIP:

https://github.com/helium/HIP/blob/main/0062-poc-witness-ip-check.md

Summary

Prevent spoofing by checking each witness's IP address against the beacon's IP address and other witnesses' IP addresses, while still allowing witnesses sharing the same IP address as the beacon to be considered valid under specific yet rather accessible conditions.

Additionally, prevent spoofing farms from hiding their miners behind VPNs by heavily restricting the use of VPNs on Helium hotspots.

[jsloane]

I have some concerns with this proposal.

1. This would be trivial to circumvent by purchasing an IP block from your ISP (normally available on business plans).
2. This would impact legitimate setups where hotspots share a common internet connection.
   For example, a remote farm could have several hotspots 500m apart, connected back to the common internet connection via long range WIFI links. Being a remote farm, there are no "valid" hotspots to offset the "irregular" hotspots.
   This is 100% legitimate and I would not expect this setup be required to changed to adhere to inferior requirements.
3. The way a VPN defined could be unreliable. IP Geolocation databases may not be updated frequenctly especially after change of ownership of IP blocks, and the actual location of an IP service could be inaccurate by hundreds or thousands of kilometers.
4. IPv6 is the future, and in a well configured IPv6 environment, each device has a unique IP address.

[kevinbrooksby]

I echo these similar concerns, I have a couple of wide spread point-to-multi-point ubiquiti airmax sites w/ legitimate hotspots deployments at these locations that are linked over 5-15km wireless bridge links (1-2ms latency back to 'headend' bridge) that are providing valuable network coverage while hairpinning back through same LAN to WAN internet gateway. NOT cool at all if this tramples my rather unique solution, I know I may be an edge case but some thoughtful engineering needs to be taken into account for us types of 'outside the box' thinkers with the skillet and aptitude to deploy such novel architectures which benefit 'the people's network'. Certainly these types of valid deployments should not be punished.

[biffbash]

you should not be penalising people for having proper point to point setups.
https://ubiquitistore.com.au/product/ubiquiti-nanobeam-ac-19dbi-5ghz-802-11ac-gen2-450-mbps-range-15-km-nbe-5ac-gen2-au/

legitimate Point to point setups can be far longer than the 300m, listed above is a entry level model that does 15km.
we ask that you fix your flawed HIP instead of having the audacity to request "change their connection, change their location, or encourage the birth of new hotspots in their area." with no consideration for the time and money businesses often spend to have these systems in place.

and CGNAT is present for most mobile providers and some fixed providers, so you would nerf 4g functionality ( for outdoor miners with sim cards ) straight away and regular hotspots on a fixed home connection.
Public locations such as universities if on their network would face similar issues.

users behind CGNAT will have an issue with this implementation because this change will make hotspots unduly affected unfit for purpose of intended use.

VPN use is legitimate also for businesses or those who live at a university or behind a NAT to NAT and for security .
also regular users will be affected for example those who are using ICS(internet connection sharing) via their PC to their hotspot if they decide to use a VPN for any reason such as work or to watch netflix.

additionally for those who arent beind cgnat , the majority IPs are dynamic from ISP (unless a static ip is requested, or comes as part of the plan) , so it changes when you d/c or when your IP lease ends , resulting in an innocent users continually getting a banned IP for a dynamic IP allocated to them.

the scope of this HIP affects alot more people than a "few" as mentioned in the HIP ,trying to ban by IP is flawed & targetting VPNs are a terrible idea.

[karakemal80]

This hip is will be a very bad idea for detecting spoofers. You will detect innocent miners which behind cgnat or using dynamic ips. İ live in a residence of multiple blocks around 4 or 5 km Square with a public wifi for People living here.
With this hip only one hot spot can witness all others are spoofers?
You should re consider this hip for sure.
People with this or similar scenarios will be not few, lots of People may face this wrong spoofers detecting mechanism that hip using and they will be invalided falsely.
On average most normal home users in here are behind cgnat with a dynamic ip.
You can not expect everyone with a statik ip therefore ipv4 ips are about the finish all over the world and ipv6 is not being Used effectively.

[NkkVr]

Hip 62 will do nothing but punish honest people because of cheaters, just like the 100 km rule brings. It is ignored that a different IP address can be obtained for each device. it protects cheaters and punishes honest people. How Does; If my device throws a beacon and 2-3 or more of those cheaters' devices witness, their testimony will be invalid, but what will my beacon reward be?
I don't know if it's technically possible, can "location not in claimed place" be the reason for invalidity? The witness receiving device may have RSSI, SNR and (x, y, z three-dimensional position) calculated for the witness it receives. If he sends a signal from this device to his beaconer, and if these two signal values are compared, the ones outside a certain tolerance value are considered invalid.
If a lora device communicates with three gateways, it can detect its location, the greater the number of gateways contacted, the higher the location accuracy.
By making use of Lora signals, the actual location of each device can be determined. Of course, this is possible by writing an algorithm. I guess the helium team can write code algorithm for this. By comparing the position information of the device antenna recorded in the system and the position determined from the lora signals, it can be interpreted with a certain limit tolerance value.
This is the healthiest and surest solution. why don't they try to use it.
IP checking does not give the desired result, it only punishes honest people.

[andrebrei]

I have some concerns about this proposal in its current form that it will penalize valid hotspot owners in an disproportional way compared to "cheaters".

I'm one of those hotspot owners who's GeoIP is constantly misreported to be in the wrong country except for high intelligence accuracy (but expensive) GoeIP providers. Note that there is no requirement for an IP to be assigned an geographic location. The whois registration is the location of owning entity and can be vastly different from the actual device location. Everything else is either educated guessing or private discussions.

Similarly in an different location the only viable option is cellular (4G/5G) via one specific provider. That provider's CGNNAT is so bad (connection lifetime, IP affinity) that it is not usable without VPN even for simple web browsing. So depending on VPN detection this may cause my hotspot to be flagged too (in this case VPN GeoIP and actual location is in the same country but the IP has an high potential to be flagged as "data center").

On the other side, how much of an effort is it for an cheater to adapt? The majority of the cost is likely for the first device (e.g. getting an static IP enabled) while cost comes rapidly down per device with additional devices (e.g. get an full network routed). I suspect the cost increase will be too low to substantially reduce the amount of cheaters.

With that it feels like that it has an potential to reduce real coverage more than it penalizes cheaters.
Have there been any statistics compiled yet in terms of how many hot spots will be impacted in total and tried to establish an split of false positives/unclear/"cheaters"?

I'm not sure CGNAT has an real impact here right now because the p2p requirement for full miners will be broken already. That might change with the p2p requirement going away eventually.
Similarly I don't think IPv6 will really help in this discussion because it will lower the difficulty for cheaters in the same way that it allows good hotspots to gain an unique IP.

Last I'd wonder if other options have been considered like an incentive to build a "trust" network or "war drive" hotspots to either independently assert or challenge an location/coverage. Like done for other technologies e.g. cellmapper for cellular.